North Korea-linked hackers likely used the Axios npm compromise to deliver a cross-platform RAT
The Axios npm compromise now appears tied to a North Korea-linked threat cluster, according to multiple security vendors. CrowdStrike attributed the activity to STARDUST CHOLLIMA with moderate confidence, while Google Threat Intelligence Group linked the campaign to UNC1069, a North Korea nexus actor that has targeted cryptocurrency and fintech organizations.
The attack hit on March 31, 2026, when two malicious Axios versions were published to npm after a maintainer account was compromised. Security reporting and the Axios post-mortem identify the poisoned releases as axios@1.14.1 and axios@0.30.4, both of which pulled in the malicious dependency [email protected].
Axios maintainer Jason Saayman later said the initial compromise came through a targeted social engineering campaign and remote access malware on his machine. That means the account takeover mechanism appears separate from the later attribution of the malware operation to a North Korea-linked actor.
What happened during the Axios compromise
The malicious packages stayed live for only a short time, but that was enough to create serious risk. Security reporting says the poisoned versions were available for roughly two to three hours before removal, and because Axios is commonly installed automatically through dependency resolution, downstream projects could have pulled the bad versions without developers choosing them directly.
Google said the attackers inserted [email protected] as a dependency and changed the maintainer email on the npm side to an attacker-controlled Proton Mail address. The malicious dependency then contacted attacker infrastructure and fetched a second-stage remote access trojan.
Microsoft said the packages connected to a known malicious domain tied to Sapphire Sleet, which is another name Microsoft uses for the North Korea-linked activity cluster also tracked elsewhere as STARDUST CHOLLIMA or BlueNoroff. That overlap is one reason several vendors now tie the attack to North Korean operators rather than treating it as an unattributed supply chain event.
Why researchers think North Korea was behind it
CrowdStrike says the strongest clue is the malware itself. Its researchers said the attackers deployed updated ZshBucket variants, a malware family CrowdStrike uniquely associates with STARDUST CHOLLIMA, and they also found infrastructure overlap with past STARDUST CHOLLIMA activity.
Google reached a similar conclusion but used a different tracking name. GTIG said the malware was an evolved form of tooling previously used by UNC1069, and the company said the group has a track record of targeting cryptocurrency and decentralized finance firms.
The motive also fits earlier North Korea-linked campaigns. CrowdStrike assessed that the most likely goal was financial gain, which aligns with the long pattern of DPRK-linked intrusion sets targeting exchanges, wallets, fintech infrastructure, and developer ecosystems that can open paths into those sectors.
What the malware could do after installation
Researchers say the compromise did not just drop a simple downloader. CrowdStrike reported that the updated implant could use a JSON-based messaging protocol across Linux, macOS, and Windows, giving operators one control path for all three platforms.
The malware contacted sfrclak[.]com, which resolved to 142.11.206[.]73, and researchers tied that infrastructure to broader North Korea-linked activity. CrowdStrike said the C2 domain shared characteristics with infrastructure previously associated with both STARDUST CHOLLIMA and FAMOUS CHOLLIMA operations.
According to CrowdStrike, the newer implant could inject binary payloads, execute scripts and commands, enumerate the file system, and remove itself when needed. That turns the Axios incident from a one-time package tampering case into a real post-install compromise that could give attackers long-term access to affected developer systems.
Axios compromise at a glance
| Item | Verified detail |
|---|---|
| Malicious Axios versions | 1.14.1 and 0.30.4 |
| Malicious dependency | [email protected] |
| Primary reported C2 | sfrclak[.]com |
| Infrastructure IP noted by researchers | 142.11.206[.]73 |
| CrowdStrike attribution | STARDUST CHOLLIMA, moderate confidence |
| Google attribution | UNC1069, North Korea nexus |
| Microsoft cluster name | Sapphire Sleet |
These details come from vendor investigations and the Axios incident reporting.
What developers and organizations should do
- Check whether any system installed axios@1.14.1 or axios@0.30.4 during the compromise window.
- Treat affected systems as compromised, not just the package tree. Several vendors said the install path could result in a full RAT infection.
- Rotate secrets, API keys, SSH keys, and tokens exposed to those machines or build agents. Researchers warned that large numbers of secrets may have been exposed.
- Hunt for connections to sfrclak[.]com or 142.11.206[.]73, and review npm install activity during the March 31 window.
- Review maintainer workstation security and publishing workflows, because the Axios maintainer said the original access came through targeted social engineering on his device.
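The first and fourth steps above can be scripted. The following Node.js snippet is an added example written for this article; it is not code from Axios, npm, or any of the vendors cited. The version numbers, C2 domain, and IP are the indicators reported above; the function names, the sample lockfile objects, and the sample log lines are constructed for illustration. It checks a package-lock.json (v1 tree or v2/v3 "packages" map) for the two poisoned Axios releases, including copies nested under other dependencies, and filters log lines for the reported C2 domain and IP while rejecting look-alike substrings such as a longer IP or a host that merely ends in the same characters.

```javascript
// Added example, not code from the article, Axios, npm, or any vendor report.
// Indicator values are the ones reported in the article; function names,
// sample lockfile contents, and sample log lines are constructed here.

// Malicious Axios releases reported in the incident write-ups.
const BAD_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);

// Network indicators reported by researchers (defanged in the article;
// written here in the form they would appear in DNS or proxy logs).
const IOC_DOMAIN = "sfrclak.com";
const IOC_IP = "142.11.206.73";

// Return every install path in a package-lock.json object that resolved
// axios to a malicious version. Handles lockfile v2/v3 ("packages" keyed by
// path) and v1 (nested "dependencies" tree). Nested copies matter because a
// transitive dependency can pin its own axios under node_modules/<dep>/.
function findCompromisedAxios(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Keys look like "node_modules/axios" or "node_modules/foo/node_modules/axios".
      const name = path.split("node_modules/").pop();
      if (name === "axios" && BAD_AXIOS_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walkV1 = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "axios" && BAD_AXIOS_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walkV1(meta.dependencies, `${path}/`);
    }
  };
  walkV1(lock.dependencies, "");
  return hits;
}

// Return the log lines that reference the C2 domain (as a host or parent
// domain) or the exact IP. Boundary checks stop "notsfrclak.com" and
// "142.11.206.730" from matching.
function matchC2Indicators(lines) {
  const escapedDomain = IOC_DOMAIN.replace(/\./g, "\\.");
  const escapedIp = IOC_IP.replace(/\./g, "\\.");
  const domainRe = new RegExp(`(^|[^A-Za-z0-9-])${escapedDomain}([^A-Za-z0-9-]|$)`, "i");
  const ipRe = new RegExp(`(^|[^0-9.])${escapedIp}([^0-9.]|$)`);
  return lines.filter((line) => domainRe.test(line) || ipRe.test(line));
}

// Constructed sample data: a v3 lockfile with a top-level and a nested hit,
// a v1 lockfile with only a nested hit, and a few DNS/proxy-style log lines.
const SAMPLE_LOCKFILE_V3 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0", "some-lib": "^2.0.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/some-lib": { version: "2.0.0", dependencies: { axios: "^0.30.0" } },
    "node_modules/some-lib/node_modules/axios": { version: "0.30.4" },
  },
};
const SAMPLE_LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
    axios: { version: "1.13.0" },
  },
};
const SAMPLE_LOG_LINES = [
  "2026-03-31T14:02:11Z dns host=build-agent-07 qname=sfrclak.com type=A",
  "2026-03-31T14:02:12Z proxy CONNECT 142.11.206.73:443 from=10.0.4.17",
  "2026-03-31T14:05:00Z dns host=dev-laptop qname=registry.npmjs.org type=A",
  "2026-03-31T14:06:00Z proxy GET http://notsfrclak.com/ from=10.0.4.20",
  "2026-03-31T14:07:00Z dns host=dev-laptop qname=cdn.sfrclak.com type=A",
];

// Usage: `node scan.js path/to/package-lock.json` scans a real lockfile;
// with no argument it runs against the constructed samples above.
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(require("fs").readFileSync(lockPath, "utf8"))
    : SAMPLE_LOCKFILE_V3;
  console.log("Malicious axios installs:", findCompromisedAxios(lock));
  console.log("Log lines matching C2 indicators:", matchC2Indicators(SAMPLE_LOG_LINES));
}
```

In a real hunt, point the log matcher at exported DNS resolver or proxy logs for the March 31 window; a lockfile hit means the host that ran the install, and any build agent that shared its credentials, should be handled under the second and third steps above rather than simply having the package updated.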
FAQ
Was there a vulnerability in Axios itself?
No public reporting says Axios had a code vulnerability. The package was compromised after attackers took over a maintainer account and published malicious versions to npm.
Has the attack been attributed to North Korea?
Yes, but the confidence and naming differ by vendor. CrowdStrike attributed it to STARDUST CHOLLIMA with moderate confidence, Google linked it to UNC1069, and Microsoft tied the infrastructure to Sapphire Sleet.
How was the maintainer account compromised?
The Axios maintainer said the breach began with a targeted social engineering campaign and RAT malware on his machine. That explains the initial account takeover, even though later threat intelligence linked the broader operation to a North Korea-linked cluster.
Which Axios versions were malicious?
The poisoned releases were axios@1.14.1 and axios@0.30.4.